CVE-2025-52520

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
apacheCNA
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
vulnerable
bookworm (security)
vulnerable
trixie
vulnerable
sid
vulnerable
tomcat11
trixie
vulnerable
sid
vulnerable
tomcat9
bullseye
vulnerable
bullseye (security)
vulnerable
bookworm
9.0.70-2
fixed
trixie
9.0.95-1
fixed
sid
9.0.95-1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5